I ran this bug by the Keystone Meeting [0] to get a feel for what direction we should take for fixing this in the Fernet case. We have two options: the first is that username and user id have to be the same in the federated Fernet case in order for it to work; the second is that we persist the user id and the user name in the Fernet payload. Today, we only persist the user id. This will result in federated Fernet tokens being a little bigger, depending on the user name (pushing real close to the 255 character limit on non-federated Fernet tokens).

The general consensus in the meeting was to add the username to the Fernet payload. The full transcript can be found in the IRC meetings logs [0].
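To make the size concern above concrete, here is an added example (not Keystone's own code) that models the token length of a federated Fernet payload with and without the extra user name field. It assumes a simplified version of Keystone's msgpack field layout for unscoped federated tokens (user id, group ids, idp id, protocol id, expiry, audit ids), the standard Fernet framing (version, timestamp, IV, PKCS#7-padded AES-CBC ciphertext, HMAC-SHA256, base64url) and that the trailing base64 '=' padding is stripped the way Keystone's token formatter does. The sample identifiers are constructed; the `mp_encode`, `federated_payload`, `fernet_token_len` and `max_user_name_len` helpers are hypothetical names introduced here.

```python
import base64
import struct
import uuid

# Fernet framing: version (1) + timestamp (8) + IV (16) + AES-CBC ciphertext
# (PKCS#7-padded to a 16-byte multiple) + HMAC-SHA256 (32), then base64url.
FERNET_OVERHEAD = 1 + 8 + 16 + 32
AES_BLOCK = 16


def mp_encode(obj):
    """Minimal msgpack encoder for the types a Keystone payload uses."""
    if isinstance(obj, bool):  # bool is an int subclass, so check it first
        return b'\xc3' if obj else b'\xc2'
    if isinstance(obj, int):
        if 0 <= obj < 0x80:
            return bytes([obj])                       # positive fixint
        if 0 <= obj < 2 ** 32:
            return b'\xce' + struct.pack('>I', obj)   # uint32
        return b'\xd3' + struct.pack('>q', obj)       # int64
    if isinstance(obj, float):
        return b'\xcb' + struct.pack('>d', obj)       # float64
    if isinstance(obj, bytes):
        if len(obj) < 0x100:
            return b'\xc4' + bytes([len(obj)]) + obj  # bin8
        return b'\xc5' + struct.pack('>H', len(obj)) + obj  # bin16
    if isinstance(obj, str):
        raw = obj.encode('utf-8')
        if len(raw) < 0x20:
            return bytes([0xa0 | len(raw)]) + raw     # fixstr
        if len(raw) < 0x100:
            return b'\xd9' + bytes([len(raw)]) + raw  # str8
        return b'\xda' + struct.pack('>H', len(raw)) + raw  # str16
    if isinstance(obj, (list, tuple)):
        if len(obj) < 0x10:
            head = bytes([0x90 | len(obj)])           # fixarray
        else:
            head = b'\xdc' + struct.pack('>H', len(obj))  # array16
        return head + b''.join(mp_encode(item) for item in obj)
    raise TypeError('unsupported type: %r' % type(obj))


def attempt_uuid_bytes(value):
    """Pack a UUID hex string into 16 raw bytes; any other id stays a string.

    Federated user ids are not UUIDs, so they take the string path."""
    try:
        return uuid.UUID(value).bytes
    except ValueError:
        return value


def audit_id_bytes(audit_id):
    """Audit ids are unpadded base64url of 16 random bytes; restore padding."""
    return base64.urlsafe_b64decode(audit_id + '=' * (-len(audit_id) % 4))


def federated_payload(user_id, group_ids, idp_id, protocol_id, expires_at,
                      audit_ids, user_name=None):
    """Assumed field order for an unscoped federated payload (simplified)."""
    fields = [
        attempt_uuid_bytes(user_id),
        [attempt_uuid_bytes(g) for g in group_ids],
        attempt_uuid_bytes(idp_id),
        protocol_id,
        float(expires_at),
        [audit_id_bytes(a) for a in audit_ids],
    ]
    if user_name is not None:
        fields.append(user_name)  # the extra field proposed in the meeting
    return mp_encode(fields)


def fernet_token_len(payload):
    """Length of the base64url Fernet token (no '=' padding) for a payload."""
    padded = (len(payload) // AES_BLOCK + 1) * AES_BLOCK  # PKCS#7 always pads
    body = FERNET_OVERHEAD + padded
    return (body * 4 + 2) // 3  # ceil(4n/3): base64 without padding chars


def max_user_name_len(limit=255, **fields):
    """Longest ASCII user name that keeps the token at or under `limit`."""
    n = 0
    while fernet_token_len(
            federated_payload(user_name='a' * (n + 1), **fields)) <= limit:
        n += 1
    return n


# Constructed sample: pre-fix federated ids equal the user name, so the id is
# a plain string rather than a UUID.
SAMPLE = dict(
    user_id='alice@example.com',
    group_ids=['0a1b2c3d4e5f4a6b8c7d9e0f1a2b3c4d',
               'f0e1d2c3b4a5496f8e7d6c5b4a392817'],
    idp_id='myidp',
    protocol_id='saml2',
    expires_at=1700000000.0,
    audit_ids=[base64.urlsafe_b64encode(b'\x01' * 16).rstrip(b'=').decode()],
)

if __name__ == '__main__':
    base = fernet_token_len(federated_payload(**SAMPLE))
    with_name = fernet_token_len(
        federated_payload(user_name='alice@example.com', **SAMPLE))
    print('token length without user name:', base)
    print('token length with user name:   ', with_name)
    print('max user name length under 255:', max_user_name_len(**SAMPLE))
```

With this sample the payload is 96 bytes before and 114 bytes after the user name is added, which the PKCS#7 step rounds up a whole AES block and the model puts at 226 and 247 characters respectively; only 30 bytes of user name fit under 255 for this particular mix of groups and ids, so the headroom really is small and depends on how many group ids the mapping produces.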

Currently, in both unscoped and scoped federated tokens, the
username value in the token is equal to the userid and not to
the value of the username in the external identity provider.
This makes WebSSO login show the userid of the logged-in
user in the Horizon dashboard, whereas before it was showing
the actual user name.

This patch fixes the value of the username in the federated
tokens, which will fix the WebSSO issue as well, since Horizon
looks at the username value and displays that as the logged-in user.